[Bro] bro comparison to snort operation

Seth Hall seth at icir.org
Wed Jun 26 10:42:18 PDT 2013 

On Jun 26, 2013, at 1:21 PM, John Babio <jbabio at po-box.esu.edu> wrote:

> I need some clarification. I am trying to understand  the operations of Bro and it relates to how snort operates. I am having a little trouble with a few things.

Don't try to draw those comparisons.  They're only going to lead to confusion for you. :)

> 1.Where are default rules/signatures/scripts stored in the folder structure?

<prefix>/share/bro

> 2. What log file are we supposed to pay attention to? Communication, Notices, Weird or all of them?

Any and all logs could be important depending on what you're investigating.  Certain logs like communication.log, notice_policy.log, and loaded_scripts.log are Bro doing some internal accounting so that if you have questions about how it's behaving you may be to figure that out.

In "normal" operation the weird log tends to be of less value too (please correct me if someone uses that a lot!).  Typically the most important logs are the ones that provide some sort of network activity logging (i.e. http.log, smtp.log, conn.log, dns.log, software.log, etc)

> 3. Where do we place custom bro scripts we write?

I typically recommend that people place scripts into <prefix>/share/bro/site/ and use the local.bro script in that directory to load their scripts.

> 4. Is there a skeleton of a basic script somewhere so I know where to start?

I would take a look at the scripts in <prefix>/share/bro/policy/ (there are quite a few) to get a general feel of the land.  That directory and all of it's subdirectories are where most of the scripts are that detect various things.

> 5. Where in Bro to I specify sending the data to an external ELSA server?

That is something you'll have to do outside of Bro.  We don't have any direct integration at this point in time.  The SecurityOnion project should be able to provide some guidance there since they ship with Bro logs integrated in ELSA

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/

More information about the Bro mailing list